#pragma once
#define _WIN32_WINNT 0x0500
#include "windows.h"
#include "tlhelp32.h"
#include "stdio.h"
#include "stdlib.h"   // malloc / free
#include "wchar.h"
#include "psapi.h"    // SDK 6.0 -- VC6 does not seem to ship this header/lib
#include "NativeApi.h"
#pragma comment(lib, "psapi.lib")
// Forward declaration: rewrites an NT device path (\Device\HarddiskVolumeN\...)
// held in szModPath into its DOS drive-letter form, in place. Defined below.
int GetUserPath(WCHAR *szModPath);
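// Method 1: list the modules of process dwPID with the ToolHelp snapshot API
// and print each module's full path.
//
// Returns TRUE when at least one module was enumerated, FALSE when the
// snapshot could not be taken or was empty. (The original never set bFound,
// so it returned FALSE even after printing every module.)
// Caveat: a TH32CS_SNAPMODULE snapshot of a process whose bitness differs
// from ours fails; this routine does not work around that.
BOOL GetProcessModule(DWORD dwPID)
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    // CreateToolhelp32Snapshot can transiently fail with ERROR_BAD_LENGTH
    // while the target is still loading; the API documentation says to retry.
    // Bound the retries so a wedged target cannot spin us forever.
    for (int attempt = 0; attempt < 10; ++attempt)
    {
        hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
        if (hModuleSnap != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
            break;
    }
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        printf("获取模块失败!\n");
        return FALSE;
    }

    BOOL bFound = FALSE;
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);   // must be set before Module32First
    if (::Module32First(hModuleSnap, &me32))
    {
        // Plain iteration over the snapshot's module list.
        do
        {
            printf("方法1列模块名:%s\n", me32.szExePath);
            bFound = TRUE;
        } while (::Module32Next(hModuleSnap, &me32));
    }
    CloseHandle(hModuleSnap);
    return bFound;
}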
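// Method 2: brute-force the target's address space with ZwQueryVirtualMemory
// (MemorySectionName, information class 2) in 64K allocation-granularity
// steps and print the image path of every distinct mapped file. Paths come
// back as NT device paths and are rewritten to drive-letter form by
// GetUserPath before printing.
//
// Fixes over the original:
//  * the NTSTATUS was compared with `> 0` on an unsigned value, i.e. the body
//    ran on *failed* queries (status 0xC...) and skipped successful ones;
//    success is now `status >= 0`;
//  * the UNICODE_STRING the kernel returns is validated to lie inside our own
//    buffer instead of being dereferenced through IsBadReadPtr, and the name
//    is copied into a bounded, NUL-terminated local before any wcscpy/printf;
//  * de-duplication compares the raw device path, not a path already
//    rewritten in place by GetUserPath;
//  * the result buffer is freed, the handle is not inheritable, and the
//    locale is set once rather than per module.
// Returns false if the ntdll export or OpenProcess fails, true otherwise.
// The scan range is the 32-bit user address space (0 .. 0x7fffffff).
bool ForceLookUpModule(DWORD dwPID)
{
    typedef LONG (WINAPI *FunLookModule)(
        HANDLE  ProcessHandle,
        PVOID   BaseAddress,
        ULONG   MemoryInformationClass,
        PVOID   MemoryInformation,
        SIZE_T  MemoryInformationLength,
        PSIZE_T ReturnLength);

    const ULONG  kMemorySectionName = 2;    // MEMORY_INFORMATION_CLASS MemorySectionName
    const SIZE_T kBufferSize = 0x200;       // UNICODE_STRING header + path characters
    const ULONG_PTR kStep = 0x10000;        // image bases are 64K aligned

    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
        return FALSE;
    FunLookModule ZwQueryVirtualMemory =
        (FunLookModule)GetProcAddress(hNtdll, "ZwQueryVirtualMemory");
    if (ZwQueryVirtualMemory == NULL)
        return FALSE;

    // Least privilege: query access is all this needs; never inherit the handle.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
        return FALSE;

    PMEMORY_SECTION_NAME Out_Data = (PMEMORY_SECTION_NAME)malloc(kBufferSize);
    if (Out_Data == NULL)
    {
        CloseHandle(hProcess);
        return FALSE;
    }

    _wsetlocale(0, L"chs");      // 0 == LC_ALL; needed so wprintf renders CJK paths
    WCHAR lastRaw[256] = {0};    // previous raw device path, for de-duplication
    WCHAR path[256] = {0};       // bounded copy handed to GetUserPath / wprintf
    const size_t kMaxChars = sizeof(path) / sizeof(path[0]) - 1;

    for (ULONG_PTR addr = 0; addr < 0x7fffffff; addr += kStep)
    {
        SIZE_T retLength = 0;
        memset(Out_Data, 0, kBufferSize);
        LONG status = ZwQueryVirtualMemory(hProcess, (PVOID)addr, kMemorySectionName,
                                           Out_Data, kBufferSize, &retLength);
        if (status < 0)
            continue;   // NTSTATUS failure: unmapped or not file-backed

        // The returned UNICODE_STRING's Buffer points into our allocation;
        // verify that rather than trusting the pointer/length blindly.
        const BYTE* bufStart = (const BYTE*)Out_Data;
        const BYTE* strStart = (const BYTE*)Out_Data->SectionFileName.Buffer;
        const size_t byteLen = Out_Data->SectionFileName.Length;
        if (strStart < bufStart + sizeof(Out_Data->SectionFileName) ||
            strStart + byteLen > bufStart + kBufferSize ||
            byteLen < sizeof(WCHAR))
            continue;
        if (Out_Data->SectionFileName.Buffer[0] != L'\\')
            continue;   // only NT device paths (\Device\...) are of interest

        size_t chars = byteLen / sizeof(WCHAR);
        if (chars > kMaxChars)
            chars = kMaxChars;
        wmemcpy(path, Out_Data->SectionFileName.Buffer, chars);
        path[chars] = L'\0';

        if (wcscmp(lastRaw, path) == 0)
            continue;   // same mapping as the previous step
        wcscpy(lastRaw, path);

        GetUserPath(path);   // \Device\HarddiskVolumeN\... -> X:\...
        wprintf(L"方法2列模块%s\n", path);
    }

    free(Out_Data);
    CloseHandle(hProcess);
    return TRUE;
}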
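// Rewrite an NT device path such as "\Device\HarddiskVolume1\Windows\x.dll"
// into DOS drive-letter form ("C:\Windows\x.dll"), in place.
//
// The original hard-coded the prefix length (characters 22/23), which is only
// right for "\Device\HarddiskVolumeN" with a single-digit N and silently
// corrupted anything else (volume >= 10, \Device\Mup\..., ...); it also wrote
// an uninitialised drive letter when nothing matched, allocated a THead/new[]
// for no reason and freed the array with `delete` instead of `delete[]`.
// Every drive letter A..Z is now resolved with QueryDosDeviceW and the device
// name is matched case-insensitively as a whole path component. The result
// is never longer than the input, so the rewrite fits the caller's buffer.
//
// szModPath: NUL-terminated path; rewritten in place on success.
// Returns 0 when the path was rewritten, -1 when no drive maps to it (the
// string is then left untouched).
int GetUserPath(WCHAR* szModPath)
{
    if (szModPath == NULL || szModPath[0] != L'\\')
        return -1;

    WCHAR drive[3] = { L'?', L':', L'\0' };
    WCHAR device[MAX_PATH] = {0};

    for (WCHAR letter = L'A'; letter <= L'Z'; ++letter)
    {
        drive[0] = letter;
        // QueryDosDeviceW returns a multi-string; the first entry is the
        // current mapping (e.g. "\Device\HarddiskVolume1").
        if (!QueryDosDeviceW(drive, device, MAX_PATH))
            continue;
        const size_t devLen = wcslen(device);
        if (devLen < 2)
            continue;   // would grow the string; never expected for a real device name
        if (_wcsnicmp(szModPath, device, devLen) != 0)
            continue;
        // Whole-component match: the device name must be followed by '\' or end.
        if (szModPath[devLen] != L'\\' && szModPath[devLen] != L'\0')
            continue;

        // "X:" + remainder. wmemmove handles the overlap (tail moves left).
        const size_t tailLen = wcslen(szModPath + devLen);
        wmemmove(szModPath + 2, szModPath + devLen, tailLen + 1);   // +1 keeps the NUL
        szModPath[0] = letter;
        szModPath[1] = L':';
        return 0;
    }
    return -1;
}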
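// Enable (fEnable != FALSE) or disable SeDebugPrivilege on the current
// process token. SeDebugPrivilege is what lets OpenProcess succeed on other
// users' and system processes; it is only present on tokens that already
// hold it (administrators), so callers must check the result.
//
// Returns TRUE only if the privilege was actually adjusted. FALSE when the
// token cannot be opened, the privilege name cannot be resolved (the original
// ignored this and adjusted a garbage LUID), or the token does not hold the
// privilege -- AdjustTokenPrivileges returns TRUE in that case but sets
// ERROR_NOT_ALL_ASSIGNED, so GetLastError() is the real success signal.
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    BOOL fOk = FALSE;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            fOk = (GetLastError() == ERROR_SUCCESS);
    }
    CloseHandle(hToken);
    return fOk;
}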
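// Method 3: list the modules of process dwPID with PSAPI
// (EnumProcessModules + GetModuleFileNameEx) and print each module path.
//
// Fixes over the original:
//  * OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE, so the
//    old check never fired and a NULL handle was passed on;
//  * only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is requested -- that is
//    all PSAPI needs, and PROCESS_ALL_ACCESS is refused on protected processes;
//  * the module array is walked by the byte count PSAPI returned instead of
//    "until GetModuleFileNameEx fails", which reported the main exe a second
//    time for the trailing NULL slot and then read past the end of the array;
//  * the path buffer was new[]'d and freed with `delete`; it is a local now.
// Caveat: EnumProcessModules from a 32-bit caller against a 64-bit target
// fails; nothing here works around that.
void EnumModlueAll(DWORD dwPID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    if (hProcess == NULL)
    {
        printf(" open process failed!\n");
        return;
    }

    // A zero-sized first call only reports the byte count needed.
    DWORD cbNeeded = 0;
    if (!EnumProcessModules(hProcess, NULL, 0, &cbNeeded) || cbNeeded == 0)
    {
        CloseHandle(hProcess);
        return;
    }

    HMODULE* modules = (HMODULE*)malloc(cbNeeded);
    if (modules == NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    memset(modules, 0, cbNeeded);

    DWORD cbReturned = 0;
    if (EnumProcessModules(hProcess, modules, cbNeeded, &cbReturned))
    {
        // Modules may have loaded between the two calls; never walk past our array.
        if (cbReturned > cbNeeded)
            cbReturned = cbNeeded;
        const DWORD count = cbReturned / sizeof(HMODULE);
        char path[MAX_PATH] = {0};
        for (DWORD i = 0; i < count; ++i)
        {
            if (GetModuleFileNameEx(hProcess, modules[i], path, MAX_PATH))
                printf("方法3模块:%s\n", path);
            path[0] = '\0';
        }
    }
    free(modules);
    CloseHandle(hProcess);
}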
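// Method 4: list the modules of process dwPID through the undocumented
// RtlQueryProcessDebugInformation(PDI_MODULES) API and print each image name.
// Uses the RTL* function typedefs and PDEBUG_BUFFER /
// PDEBUG_MODULE_INFORMATION from NativeApi.h.
//
// Fixes over the original:
//  * the ntdll handle is checked before GetProcAddress is called on it;
//  * RtlCreateQueryDebugBuffer's result is checked for NULL;
//  * the NTSTATUS is kept signed so failures (negative) are detected -- the
//    old `DWORD status < 0` test was always false, so a failed query (e.g.
//    access denied on a protected process) went on to dereference whatever
//    Buffer->ModuleInformation held;
//  * the debug buffer is destroyed on every exit path, not just on success.
void EnumModuleEx(DWORD dwPID)
{
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }
    RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer =
        (RTLCREATEQUERYDEBUGBUFFER)GetProcAddress(hNtdll, "RtlCreateQueryDebugBuffer");
    RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation =
        (RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hNtdll, "RtlQueryProcessDebugInformation");
    RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =
        (RTLDESTROYDEBUGBUFFER)GetProcAddress(hNtdll, "RtlDestroyQueryDebugBuffer");
    if (RtlCreateQueryDebugBuffer == NULL || RtlQueryProcessDebugInformation == NULL ||
        RtlDestroyQueryDebugBuffer == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }

    PDEBUG_BUFFER Buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (Buffer == NULL)
        return;

    // NTSTATUS: negative means failure.
    const LONG status = (LONG)RtlQueryProcessDebugInformation(dwPID, PDI_MODULES, Buffer);
    if (status < 0 || Buffer->ModuleInformation == NULL)
    {
        printf("RtlQueryProcessDebugInformation函数调用失败,进程开了保护\n");
        RtlDestroyQueryDebugBuffer(Buffer);
        return;
    }

    // ModuleInformation points at { ULONG Count; DEBUG_MODULE_INFORMATION Modules[Count]; }
    const ULONG count = *(PULONG)Buffer->ModuleInformation;
    PDEBUG_MODULE_INFORMATION info =
        (PDEBUG_MODULE_INFORMATION)((PUCHAR)Buffer->ModuleInformation + sizeof(ULONG));
    for (ULONG i = 0; i < count; ++i, ++info)
        printf("方法4列出的模块:%s\n", info->ImageName);

    RtlDestroyQueryDebugBuffer(Buffer);
}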
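// Walk our own PEB loader list (PEB->Ldr->InLoadOrderModuleList) and print
// each entry's base address and full DLL name.
//
// x86 / 32-bit only: fs:[0x30] is the x86 TEB->PEB slot and every offset
// below is the x86 structure layout (PEB.Ldr at 0x0c;
// PEB_LDR_DATA.InLoadOrderModuleList at 0x0c; LDR_DATA_TABLE_ENTRY.DllBase
// at 0x18 and FullDllName.Buffer at 0x28). These are private layouts and can
// change between Windows versions.
//
// Fix over the original: the loop stopped when it came back to the *first
// entry*, so the list head inside PEB_LDR_DATA was itself printed as if it
// were a module (garbage base, garbage string pointer). A circular
// LIST_ENTRY is walked from head->Flink until the head is reached again.
void EnumSelfModule()
{
    void *PEB = NULL;
    printf("列举自身模块!\n");
    __asm
    {
        mov eax, fs:[0x30]
        mov PEB, eax
    }
    printf("PEB = 0x%08X\n", PEB);

    void *Ldr = *((void **)((unsigned char *)PEB + 0x0c));
    printf("Ldr = 0x%08X\n", Ldr);

    // &Ldr->InLoadOrderModuleList: the sentinel that terminates the walk.
    void *head = (unsigned char *)Ldr + 0x0c;
    void *Flink = *((void **)head);
    printf("Flink = 0x%08X\n", Flink);

    for (void *p = Flink; p != head; p = *((void **)p))
    {
        void *BaseAddress = *((void **)((unsigned char *)p + 0x18));
        void *FullDllName = *((void **)((unsigned char *)p + 0x28));
        printf("p = 0x%08X 0x%08X ", p, BaseAddress);
        wprintf(L"%s\n", FullDllName);
    }
}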
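#define PAGE_SIZE 0x1000   // x86 page size used by the brute-force scan below

// Forward declarations for the brute-force scanner.
// The original declared IsValidModule(ULONG) here but defined
// IsValidModule(byte*) below, leaving a second, never-defined overload; the
// declaration now matches the definition.
void Search();
bool IsValidModule(byte* i);
bool PrintModule();   // declared only; no definition in this file
void main();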
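// True if every byte of [p, p+len) lies in committed, accessible pages.
// Replaces IsBadReadPtr, which probes by faulting and can swallow guard-page
// and stack-growth exceptions; VirtualQuery just inspects the page tables.
static bool IsReadableRange(const void* p, SIZE_T len)
{
    const BYTE* cur = (const BYTE*)p;
    const BYTE* end = cur + len;
    if (p == NULL || end < cur)
        return false;
    while (cur < end)
    {
        MEMORY_BASIC_INFORMATION mbi;
        if (VirtualQuery(cur, &mbi, sizeof(mbi)) != sizeof(mbi))
            return false;
        if (mbi.State != MEM_COMMIT)
            return false;
        const DWORD prot = mbi.Protect & 0xFF;   // strip PAGE_GUARD / PAGE_NOCACHE bits
        if ((mbi.Protect & PAGE_GUARD) || prot == PAGE_NOACCESS)
            return false;
        cur = (const BYTE*)mbi.BaseAddress + mbi.RegionSize;   // next region
    }
    return true;
}

// Returns true if the memory at `i` is readable and is the start of a mapped
// PE image that is a DLL with a Windows GUI or console subsystem.
//
// Fixes over the original: readability is established with VirtualQuery
// rather than IsBadReadPtr; the MZ and PE signatures are checked and
// e_lfanew is bounded, so an arbitrary readable page whose bytes happen to
// carry the IMAGE_FILE_DLL bit is no longer reported as a module.
bool IsValidModule(byte* i)
{
    if (!IsReadableRange(i, sizeof(IMAGE_DOS_HEADER)))
        return false;
    const IMAGE_DOS_HEADER* dos = (const IMAGE_DOS_HEADER*)i;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return false;
    // e_lfanew is signed; reject negative or absurd offsets before using them.
    if (dos->e_lfanew < 0 || dos->e_lfanew > 0x10000)
        return false;
    const IMAGE_NT_HEADERS32* nt = (const IMAGE_NT_HEADERS32*)(i + dos->e_lfanew);
    if (!IsReadableRange(nt, sizeof(IMAGE_NT_HEADERS32)))
        return false;
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return false;
    if ((nt->FileHeader.Characteristics & IMAGE_FILE_DLL) == 0)
        return false;   // skip executables, keep DLLs only
    const WORD subsystem = nt->OptionalHeader.Subsystem;
    return subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI ||   // 2
           subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI;     // 3
}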
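// Brute-force module discovery for our own process: probe every page of the
// user-mode address space and count the pages IsValidModule() accepts as the
// start of a mapped DLL.
//
// The original scanned the fixed range 0x10000000..0x7ffeffff; the bounds
// now come from GetSystemInfo so DLLs mapped below 0x10000000 (bases moved
// by relocation/ASLR) are not missed and /3GB or WOW64 limits are honoured.
// Note: unlike the ToolHelp/PSAPI methods this is not a loader list -- any
// file mapped as an image with the DLL flag set is counted.
void Search()
{
    printf("暴力搜索列举模块!\n");
    SYSTEM_INFO si;
    GetSystemInfo(&si);

    const UCHAR* cursor = (const UCHAR*)si.lpMinimumApplicationAddress;
    const UCHAR* limit = (const UCHAR*)si.lpMaximumApplicationAddress;
    const SIZE_T step = si.dwPageSize;
    int found = 0;
    while (cursor < limit)
    {
        if (IsValidModule((byte*)cursor))
        {
            printf("\t\t find a module at %08x\n", (unsigned)(ULONG_PTR)cursor);
            ++found;
        }
        // Stop before the pointer could wrap at the top of the address space.
        if ((ULONG_PTR)limit - (ULONG_PTR)cursor <= step)
            break;
        cursor += step;
    }
    printf("\t\t total find module :%03d\n", found);
}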
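// Demo driver: run every enumeration method against a fixed target PID, then
// the self-only methods. The PID stays hard-coded (the original's 4228)
// because main() is declared `void main()` above and cannot take argv
// without changing that declaration; edit kTargetPid for your target.
void main()
{
    const DWORD kTargetPid = 4228;

    // SeDebugPrivilege is what lets OpenProcess succeed on other users' and
    // system processes, and only an elevated/administrator token holds it.
    // The original ignored the result and every later step then just said
    // "failed"; report the root cause up front instead.
    if (!EnableDebugPrivilege(TRUE))
        printf("EnableDebugPrivilege failed (not elevated?) -- other users' processes may not open\n");

    EnumModlueAll(kTargetPid);
    ForceLookUpModule(kTargetPid);
    getchar();
    GetProcessModule(kTargetPid);
    EnumModuleEx(kTargetPid);
    getchar();
    EnumSelfModule();
    getchar();
    Search();
    printf("按任意键退出........");
    getchar();
}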
原文地址:http://blog.csdn.net/yincheng01/article/details/8107293